The European Cybersecurity Act (CSA), adopted in 2019, was designed as the foundation of a unified cybersecurity framework across the EU. It pursued two primary objectives: establishing ENISA as the central cybersecurity authority and creating a pan-European certification framework for digital products and services. At the time, this approach was a rational attempt to reduce market fragmentation and increase trust across Member States and industry stakeholders.
However, by 2024–2026, it became clear that the original model no longer scales. Both the threat landscape and the regulatory environment have evolved significantly. Cyberattacks increased by approximately 150% in 2024 alone, while multiple new regulatory instruments emerged in parallel, including NIS2, the Cyber Resilience Act, and the Cyber Solidarity Act. As a result, the CSA is now embedded in a far more complex and overloaded regulatory ecosystem than initially anticipated.
Today, European cybersecurity is no longer a coherent, unified model, but rather a set of overlapping regulatory layers. Organizations are required to comply simultaneously with multiple frameworks, each addressing cybersecurity from a different angle: risk management, product security, incident handling, or certification. This creates systemic inefficiencies, including duplicated processes, inconsistent interpretations of risk, and increased compliance costs. Even within a single organization, different teams may operate under different regulatory logics, increasing internal complexity and reducing operational efficiency.
The European Commission has partially acknowledged this issue and proposed technical mitigation measures, such as the introduction of a single reporting entry point via ENISA, allowing organizations to fulfill multiple reporting obligations through a unified interface. However, this approach addresses interaction complexity rather than the underlying architectural fragmentation. The core issue—overlapping and intersecting regulatory requirements—remains unresolved.
An additional layer of complexity arises from the evolution of ENISA itself. Originally conceived as a center of expertise and coordination, the agency’s mandate has significantly expanded over time. ENISA is now involved in policy development, cross-border coordination, incident response support, certification frameworks, and stakeholder engagement. While this expansion reflects the growing importance of cybersecurity, it also introduces structural inefficiencies. A single entity operating across such a wide functional spectrum inevitably faces blurred priorities and resource constraints.
This is particularly evident in the area of certification. The European Cybersecurity Certification Framework (ECCF) was intended to serve as a unified trust mechanism, enabling companies to demonstrate compliance once and operate across the entire EU market. In practice, implementation has been considerably slower than expected. The first fully operational scheme was introduced only in 2024, while key domains such as cloud services, digital identity, and 5G remain under development.
For the market, this translates not just into delays, but into structural uncertainty. Organizations cannot effectively plan investments in security and compliance when requirements are evolving slowly and without sufficient transparency. Under such conditions, certification ceases to function as a simplifying mechanism and instead becomes an additional layer of risk.
At the same time, a deeper transformation is taking place in the nature of cyber risk itself. Initially, regulatory efforts focused primarily on technical dimensions such as vulnerabilities, standards, and system architecture. Today, the focus is shifting toward higher-level concerns, including supply chain dependencies, origin of technologies, geopolitical exposure, and systemic resilience.
In practical terms, cybersecurity is no longer limited to the question of whether a system is secure. It increasingly includes whether that system is controllable, resilient, and strategically independent. This shift is particularly relevant in sectors such as cloud computing, telecommunications, and artificial intelligence, where reliance on external providers can introduce systemic risk.
Against this backdrop, the role of certification is also evolving. While it remains formally voluntary, in practice it is increasingly becoming a de facto requirement. This shift is not driven directly by the CSA itself, but by the interaction with other regulatory instruments and market expectations. As a result, certification is gradually transforming from a quality signal into a market access mechanism.
This creates a structural tension. Businesses seek predictability, flexibility, and cost efficiency, while regulators are moving toward stronger control, standardization, and enforceability. The outcome is likely to be a hybrid model in which certification remains formally voluntary but functionally mandatory in critical sectors.
The planned revision of the CSA in 2026 should be understood in this context. It is not a routine legislative update, but an attempt to recalibrate the regulatory architecture. The focus is expected to be on clarifying ENISA’s role, accelerating certification processes, simplifying reporting mechanisms, and integrating new categories of risk, particularly those related to supply chains and geopolitics.
At the same time, it is important to recognize the inherent limitations of such reforms. Regulation inevitably lags behind technological change and threat evolution. Therefore, the objective of the revision is not to eliminate systemic gaps, but to make them more manageable and predictable.
From a business perspective, several implications follow. Compliance complexity will continue to increase, even if certain processes become more streamlined. The growing number of regulatory requirements and their interdependencies necessitate more mature governance structures. Supply chain risk management will become a core component of cybersecurity strategy, requiring organizations to assess not only their own posture but also that of their vendors and partners.
Certification will increasingly function as a strategic asset rather than an optional control. It will play a critical role not only in demonstrating security posture but also in enabling market access, particularly in regulated or sensitive sectors. Finally, cybersecurity will continue to move beyond the boundaries of IT and become an integral part of corporate governance, influencing strategic, financial, and operational decisions.
In this context, the most significant change introduced by the CSA revision is not in specific requirements, but in the role of cybersecurity itself. It is transitioning from a technical discipline into a regulatory and economic instrument—one that shapes market structure, manages systemic risk, and influences competitiveness.
The revision of the Cybersecurity Act therefore reflects a broader shift. The EU is moving away from a framework-driven approach toward a risk- and resilience-based model. Whether this transition will be fully successful remains uncertain. However, one conclusion is already clear: in the European market, cybersecurity is no longer just a compliance requirement—it is a prerequisite for participation in the economy.